#!/usr/bin/perl
#### script that looks for security updates on yum based systems like CentOS
###
### http://code.google.com/p/yum-security-check/
### v 0.1
####
use warnings;
use strict;
use Expect::Simple;
use Term::ANSIColor qw(:constants);

$| = 1;
print "getting list of all packages...";
my @packages = `/usr/bin/yum check-update | grep -v "^Loaded plugins" | grep -v ^\$ | awk '{print \$1}'| grep -v updates | grep -v ^\* | grep -v Excluding | grep -v Finished | grep -v Skipping | grep -v Determining | grep -v Loading`;
print GREEN, "done\n", RESET;
chomp foreach @packages;
my $cnt = 0;
my $upcmd = '/usr/bin/yum --changelog update ';
my $update_needed = 0;
my $send_mail = 1;
my $packages_num = $#packages + 1;
my $security_info = "You need to update this server,\ntotal of $packages_num packages are set for update - the following have security issues:\n";
### enter emails to send reports to
my @mails_to = qw(
sysadmin@our.company
support@other.company
);
my $ip = `/sbin/route -n | grep "^0" | awk '{print \$8}' | xargs /sbin/ifconfig | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1`;
chomp $ip;
foreach (@packages) {
	print "Checking package $_ (", $cnt++, "/$#packages) ";
	my $eobj = new Expect::Simple { 
		Cmd => "/usr/bin/yum --changelog update $_",
		Prompt => [ -re => 'Is this ok.*'],
		DisconnectCmd => 'n',
		Verbose => 0,
		Timeout => 300,
        };
	my $str = $eobj->before;
	if ($str =~ /CVE-20\d\d/) {
		$str =~ /Changes in packages about to be updated:\s*(.*)\s*Depend/s;
		$str =~ s/\n\n//g;
		print RED, BOLD, "SECURITY UPDATE NEEDED", RESET;
		print "\n--------\n$1\n----------\n";
		$security_info .= "\n=========$_==============\n$1\n";
		$upcmd .= "$_ ";
		$update_needed = 1;
	} else {
		print GREEN, BOLD, "package OK\n", RESET;
	}
}
$security_info .= "\n\nYou need to run:\n$upcmd\n";
if ($update_needed) {
	open FILE, ">/tmp/sec_updates_info";
	print FILE $security_info;
	close FILE;
	print "------\n\nYou need to update this server - run:\n $upcmd\n";
	if ($send_mail) {
		foreach (@mails_to) {
			`mail -s "$ip needs update" $_ < /tmp/sec_updates_info`;
		}
	}
}
else {
	print "------\n\nNo securiity updates needed.\n";
}


